Hacking Humans 6.1.23
Ep 245 | 6.1.23

Are you who you say you are?

Transcript

Bala Kumar: Multifactor authentication is key. It's important when it is offered as an option and it's not something that you're required to do. Don't avoid it.

Dave Bittner: Hello, everyone, and welcome to the CyberWire's Hacking Humans podcast where each week we look behind the social engineering scams, phishing schemes, and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner, and joining me is Joe Carrigan from Harbor Labs and the Johns Hopkins University Information Security Institute. Hello, Joe.

Joe Carrigan: Hi, Dave.

Dave Bittner: We've got some good stories to share this week, and later in the show, my conversation with Bala Kumar. He is Chief Product Officer at Jumio, and we're talking about fraud in the travel industry.

All right, Joe, we've got a good bit of follow-up, but to start off with here, I'm going to start things off, I believe our last show we were talking about law enforcement and their ability to track cryptocurrency, and the book I was trying to remember that I couldn't grasp was -- it's called "Tracers in the Dark" and it's written by Andy Greenberg, who certainly we're familiar with, great author Andy Greenberg, and our CyberWire pal Rick Howard actually interviewed Andy when that book was released. So I recommend, if you want to check out that interview, learn more about "Tracers in the Dark," go to our website, thecyberwire.com, and you can search for Rick Howard's interview with Andy, and it's good stuff. We've got some stuff from some listeners here. Joe, you want me to start things off here, or do you want to have the honors?

Joe Carrigan: I'll read the first one. You can read the second one.

Dave Bittner: Okay.

Joe Carrigan: So this one says, "Hi, Dave and Joe. My wife just had something interesting happen to her. We never shop at Dick's Sporting Goods." I also don't shop at Dick's Sporting Goods, probably because I'm not that athletic.

Dave Bittner: Fair enough. I was there recently buying lacrosse gear for my youngest son. He took up lacrosse this --

Joe Carrigan: The Maryland state team sport.

Dave Bittner: That's right. That's right.

Joe Carrigan: That's right. "But yesterday she used her American Express card to purchase a gift card from Dick's Sporting Goods for a birthday for a family member."

Dave Bittner: Okay.

Joe Carrigan: A family friend, rather.

Dave Bittner: Yup.

Joe Carrigan: "It looks like Dick's Sporting Goods uses a third-party platform called 'blackhawknetwork.com' when purchasing gift cards from the official Dick's Sporting Goods website."

Dave Bittner: Okay.

Joe Carrigan: "Today she received several fraud alerts from a different credit card, her Bank of America MasterCard. The Bank of America MasterCard had also been used at Dick's Sporting Goods multiple times successfully before it started getting declined. What's going on here? It would have been pretty standard credit card fraud had the same Amex PIN that she used yesterday been used for the fraudulent transactions, but this is a completely different credit card. The best guess I can think of is that the attackers already had my wife's Bank of America credit card from a breach and they also somehow found out that she made a purchase at dickssportinggoods.com or blackhawknetwork.com and they immediately started using the other credit card, the one they had access to, to also make purchases at Dick's Sporting Goods in an effort to make the transactions appear more legitimate. This seems a bit far-fetched, so this might be just a very unlikely coincidence. However, we're a bit concerned that some attacker has more access to her data than is standard -- than a standard instance of credit card fraud. Is there a simple explanation? Thanks." I don't know. If you're doing this on a computer, I would definitely scan the computer for malware. What do you think, Dave?

Dave Bittner: Well, first, I think it could just be a coincidence.

Joe Carrigan: It could be a coincidence. You're 100% correct. I forgot to leave out the obvious.

Dave Bittner: Yeah.

Joe Carrigan: Or to -- I left out the obvious there.

Dave Bittner: As we know, our brains are pattern-matching machines, and so they want to connect the -- really wants to connect the dots.

Joe Carrigan: We often see patterns where there are none.

Dave Bittner: Right, right.

Joe Carrigan: But this is weird, that you never shop at Dick's, and all of a sudden, you go and you use an Amex there and next thing you know your MasterCard is being used fraudulently at the same location.

Dave Bittner: Right.

Joe Carrigan: I'm assuming this was all online because it says that they went to dickssportinggoods.com.

Dave Bittner: Yeah.

Joe Carrigan: I don't know if that's the case. Matt can -- Matt is the name of the listener that wrote in. I think I said that already, I don't know, but I'm not going to go back and listen to the recording, Dave, until this episode comes out. But anyway, so if Matt, if you want to clarify, we'd be happy to hear the clarification, but I think, from our standpoint, it looks like a coincidence. I wonder where you used the MasterCard last.

Dave Bittner: Well, the other thing I wonder is, do they have any of these credit cards stored in their browser?

Joe Carrigan: Yeah.

Dave Bittner: Because that could be -- if they have the MasterCard in the browser, it's possible, it's plausible that perhaps the Dick's Sporting Goods site was compromised, or perhaps their browser was compromised, and so it's harvesting that information from the browser.

Joe Carrigan: Yeah, maybe we'll see a news story coming out about how Dick's Sporting Goods was compromised, but I doubt it. I mean, that's an ecommerce site. Those are pretty standard things. I would be surprised to see that come out. I don't know. I'm stumped.

Dave Bittner: Oh, yeah, I mean, Dick's is at the level, that tier where you would be surprised to see run-of-the-mill, you know, credit card -- someone injecting some code into their site to steal credit cards. That would be unusual.

Joe Carrigan: Yes.

Dave Bittner: But not completely out of the realm of possibility, I suppose.

Joe Carrigan: Yeah, somebody contaminated a JavaScript library years ago to do exactly this.

Dave Bittner: Yeah.

Joe Carrigan: But I can't remember all the details about it off the top of my head.

Dave Bittner: Yeah. No, I think it's mostly a mystery. I'd love to hear if any of our listeners are shouting at their mobile devices right now and saying, "I know what it is. I know what it is."

Joe Carrigan: Write in and let us know.

Dave Bittner: Write in and let us know, yeah. Thank you for writing in, Matt. We've got another note from a listener. This is from someone named King who is writing about our discussion of QR codes from Episode 243, and they said, "In general, I agree with your security concerns about QR codes, but as with so many useful tools, it is not the mechanism itself that is the problem but our use or misuse of it. A QR code is really just a fancy URL, and like hovering over a URL on a webpage, I always use a QR code scanner to see what is encoded first."

Joe Carrigan: Right.

Dave Bittner: And you mentioned that, Joe. You have tools to do that as well.

Joe Carrigan: That's right.

Dave Bittner: King says, "There are good uses for QR codes. I agree with Joe. I'm not a fan of reading a menu on my phone." I just saw an article today that said restaurants are doing away with that because people don't like it.

Joe Carrigan: Yeah. So I'm not in the minority here.

Dave Bittner: No, no, I don't think so. King goes on and says, "But COVID caused many restaurants to abandon menus, and we do all carry around perfectly usable display devices." Fair enough. "Sometimes the world changes and we old guys just have to deal." Yeah, that's true. It's sad but true.

Joe Carrigan: Yeah. Man, I hate that. No, no, I want the world to remain the same, Dave.

Dave Bittner: Yes, exactly.

Joe Carrigan: At least until I'm dead.

Dave Bittner: Right. As a friend of mine says, the world is not a museum for you to go visit. "I'd rather read the menu on my phone than have a server recite it to me, which has happened." Oh, that would be brutal.

Joe Carrigan: Yeah. I would also rather read it on my phone.

Dave Bittner: Right. They say restaurant bills are very convenient to pay via QR code. I've done that.

Joe Carrigan: I tried to do that this past weekend and it didn't work.

Dave Bittner: Really?

Joe Carrigan: Yeah.

Dave Bittner: I've done it a few times.

Joe Carrigan: It was an Apple Pay thing and I tried to use the Google system and I just couldn't get it to work.

Dave Bittner: Okay. I've done it a few times. It is convenient.

Joe Carrigan: Yeah, maybe, again, I'm old-manning this, I don't know.

Dave Bittner: Yeah. King says, "Of course, there are bad uses. A QR code on a gas pump is a terrible use case. Any placement where you can't know who put it there should not be trusted, like a sticker on anything public."

Joe Carrigan: Right.

Dave Bittner: Joe, I was actually out and about and I was buying some gas the other day and I took a picture of the collection of QR codes on the gas pump I was using.

Joe Carrigan: There's a collection of QR codes on the gas pump?

Dave Bittner: I sent it over to you. I don't know if you can -- I sent it to you via text message.

Joe Carrigan: Oh, my phone's turned off right now for the sake of the podcast.

Dave Bittner: Gotcha. So this is -- I'm guessing that all of these QR codes are legit, but they are just stickers on the gas pump, and there's like a Google Pay one and there's an Apple Pay one and there's another one, and yeah, I'm not going to trust those. Like, one of them's halfway peeled off and, you know, just -- it'd be one thing if it was screen-printed onto the pump, you know, like, if it looked like this is something that came with the pump itself.

Joe Carrigan: Right.

Dave Bittner: But these are all just stickers.

Joe Carrigan: Yeah.

Dave Bittner: So . . .

Joe Carrigan: Why would I trust a sticker?

Dave Bittner: Yeah.

Joe Carrigan: I mean, my son got a sticker that -- printed up, that it's a QR code that rickrolls people.

Dave Bittner: Nice.

Joe Carrigan: He's going to put it on his car.

Dave Bittner: Okay. King goes on and says, "A QR code that evaluates to a link-shortening service is suspect." I agree.

Joe Carrigan: Yup.

Dave Bittner: "The great thing about QR codes is you could encode anything." That's true. He says, "I love QR codes. They're easy and convenient, but like any digital data, you can't automatically believe they provide legitimate data. Maybe one day QR codes will have a digital signature. Thanks, and love the show."

Joe Carrigan: Oh, that's a good point. That would be a very large QR code, making the codes larger.

Dave Bittner: Right.

Joe Carrigan: But King makes an excellent point. You could put any URL into a QR code. Why do you need a link-shortening service? You don't. Don't do that. Put a URL to your -- to your website.

Dave Bittner: Right, right. Don't obfuscate it any more than it is from the QR code.

Joe Carrigan: It's already illegible by humans.

Dave Bittner: Right, right. Absolutely. All right, well, thank you, King, for writing in, and also to Matt. We do appreciate it, and of course, we'd love to hear from you. You can email us. It's hackinghumans@thecyberwire.com. All right, Joe, I'm going to start things off for us here. My story comes from Ars Technica. This is written by Jon Brodkin, and it's titled "48 States Sue Phone Company That Allegedly Catered to Needs of Robocallers."

Joe Carrigan: Good.

Dave Bittner: So I don't know if your first question about this is the same as mine.

Joe Carrigan: Was Maryland one of those states?

Dave Bittner: Well, close. I wanted to know who didn't get on board.

Joe Carrigan: Right, yeah, who are the two that didn't sue?

Dave Bittner: Right, right. And it turns out it's Alaska and South Dakota. No idea what those two states have in common, but sparse populations. They did not -- sparse populations, right. They did not choose to get on here. This was filed in the U.S. District Court for the District of Arizona against a company called Avid Telecom, their CEO and their VP of Operations, and this comes from work done by the Anti-Robocall Multistate Litigation Task Force.

Joe Carrigan: Ah.

Dave Bittner: Didn't know there was such a thing, but I'm glad they're out there.

Joe Carrigan: Yeah.

Dave Bittner: And they say that this organization sent billions, with a "B" --

Joe Carrigan: Right.

Dave Bittner: Of robocalls out and really set themselves up in such a way to make it easy for scammers to use robocalling.

Joe Carrigan: Right.

Dave Bittner: And more importantly, the FTC and other organizations contacted Avid Telecom and said, "Hey, knock it off." In fact, Verizon had cut off -- had cut them off from access to Verizon's system.

Joe Carrigan: Really?

Dave Bittner: Yeah, because they had sent so many calls.

Joe Carrigan: Too many scam calls.

Dave Bittner: Yeah, over, according to this article, over 10 million over Verizon, and so the FCC and these attorneys general have gone after them and said, "Okay, you're not going to listen to us. We've been -- we've warned you."

Joe Carrigan: Right.

Dave Bittner: Right? We have warned you in every possible way, and no, they just kept on at it, kept -- presumably making a lot of money doing it.

Joe Carrigan: Right.

Dave Bittner: And now these --

Joe Carrigan: 7.5 billion robocalls, it says.

Dave Bittner: Right. So these companies are suing them.

Joe Carrigan: Actually, that was calls -- it says that's the calls to the phone number on the National Do Not Call Registry.

Dave Bittner: Right.

Joe Carrigan: So it's like that was absolutely useless.

Dave Bittner: Yeah. So this says, "This lawsuit seeks a jury trial, a permanent injunction to prevent additional illegal robocalls, and financial penalties including restitution or other compensation on behalf of residents for illegal calls." I think this is great.

Joe Carrigan: Yeah, it's wonderful.

Dave Bittner: I think this is great, and there's also part of me that says it's about frickin time.

Joe Carrigan: Right. Yeah, who's next on this list?

Dave Bittner: Yeah. It's about time that we're seeing real stuff going after these folks. I have to say, to be fair, it seems as though robocalling has been in the crosshairs of some of these government agencies and this is part of that, so I'm happy to see this. Too many people have been scammed. This is -- it's not just a nuisance. Scammers take advantage of this to be able to reach out to people and actually, you know, steal good money from them.

Joe Carrigan: Right. So what happens is you have the major providers that provide all the infrastructure benefits and their cell providers and also local carrier providers as well, but then you have these other phone companies, like this Avid Telecom, that are just leasing services from these infrastructure companies and all they're doing is then providing a bridge and access to their customers.

Dave Bittner: Right.

Joe Carrigan: To get on the network for some fee.

Dave Bittner: Right.

Joe Carrigan: And these guys have made what looks like a boatload of money letting people just scam Americans out of -- I would really like to see if there's a number on the amount of fraud losses that have happened here.

Dave Bittner: Yeah.

Joe Carrigan: I don't think there's any way to measure that, but I think that's going to be difficult, but it's interesting. It would be an interesting statistic to see, even if they come up with some kind of estimate, you know.

Dave Bittner: In this article, they talk about how these folks, these folks at Avid, says they facilitated over 5 billion calls from June 2020 to February 2021 for Sumco, which is facing a proposed $300 million FCC fine for, wait for it, auto warranty scam robocalls.

Joe Carrigan: How big is that fine again?

Dave Bittner: $300 million.

Joe Carrigan: That's nice.

Dave Bittner: And it says the defendants had direct knowledge that Sumco was sending them illegal call traffic, and it also talks about how they deliberately tried to get around the STIR/SHAKEN authentication technology that was supposed to -- or that has gone into effect to verify the accuracy of caller ID.

Joe Carrigan: Right. So they're getting around these -- the technologies that are there.

Dave Bittner: Right, right. The things that are put in place to help protect us from these, the allegations are that these folks were deliberately trying to get around them to continue, you know, the lucrative business that they were in.

Joe Carrigan: That's right.

Dave Bittner: Yeah. So I'm happy to see this, and nice reporting here from Ars Technica and Jon Brodkin. That's what I have this week, Joe. What do you got for us?

Joe Carrigan: Dave, I think this might be the first time in all of Hacking Humans history that we have two feel-good stories.

Dave Bittner: Okay.

Joe Carrigan: Usually we have something where everybody goes, "Oh, that's awful."

Dave Bittner: Right. It's some kind of doom and gloom.

Joe Carrigan: Right.

Dave Bittner: Okay.

Joe Carrigan: But my story is also a feel-good story, and it comes from Cole Sullivan from News9, or 9News, rather, in Denver, Colorado.

Dave Bittner: Okay.

Joe Carrigan: And there is a resident of Denver who has moved out to the area. His name is Phil Tamchina and he is buying a house, or has bought a house, but while he was buying his house, as we often do, he had to wire money for settlement to a -- some kind of settlement company.

Dave Bittner: Right.

Joe Carrigan: Of course, there was somebody in the chain, and he got an email that said, hey, it's time to wire the money. Send the money to this account with these details. And he does it, and he says, "I didn't inspect it really hard because I'm very busy," but the amount of money he sent was 370 -- I'm sorry, I have that backwards because I'm dyslexic, $730,000.

Dave Bittner: Wow.

Joe Carrigan: So it's a lot of money.

Dave Bittner: Yeah.

Joe Carrigan: Right? And 11 days later, 11 days, Dave, he finds out that the people that were supposed to receive the money had not received the money and that his realtor tells him, "It looks like you've been a victim of a wire fraud scam." And he says he goes numb.

Dave Bittner: Yeah.

Joe Carrigan: So he starts looking into it and he calls the police, and the police have a relatively new detective. Her name is Taylor Hickam, and she gets the case and she starts tracing it down, and lo and behold, she finds that the entire sum of $730,000 is still sitting in the bank account at the bank where he sent it. So they were able to recover all of it.

Dave Bittner: Wow.

Joe Carrigan: After 11 days. Now, Hickam thinks that the -- Detective Hickam thinks that the bank that received the funds said, hey, something's fishy here. We're going to need to sit on these funds for a little while, hold them, see if anybody comes looking for this because it went to this account that was set up with maybe these parameters here, or something's going on, or maybe they actually found that somebody's account was taken over, and this person logged in and said, there's an unexplained $730,000 in my account, which is entirely possible.

Dave Bittner: Sure.

Joe Carrigan: All of these scenarios are possible. So they just held on to it. They didn't let anybody wire any money out of that account, and when the police came looking for it, all of it was still there.

Dave Bittner: Wow.

Joe Carrigan: That's what it looks like happened. So this guy, Phil Tamchina, was very, very fortunate.

Dave Bittner: Yeah.

Joe Carrigan: Because --

Dave Bittner: I hope he got his house.

Joe Carrigan: He did.

Dave Bittner: Oh, good.

Joe Carrigan: He actually did get his house. The transaction did go through.

Dave Bittner: Oh, good.

Joe Carrigan: He is in the new house now, I think, but so it's great that he was able to recover the money, but I want everyone who's listening to understand, this was very lucky for Mr. Tamchina because we have had story after story after story where that is not what happens.

Dave Bittner: Yeah.

Joe Carrigan: And the person is just out the money.

Dave Bittner: Right.

Joe Carrigan: And I don't know what Phil Tamchina's financial situation is. You know, maybe $730 million -- or $730,000 is a lot of money or maybe it's not. I don't know.

Dave Bittner: Yeah.

Joe Carrigan: But I have a couple of things that I'd like to say, and this is for the listener who might be wondering, what if I'm in this situation, what do I do? So if you're wiring any amount of money, verify the wiring details with a phone call to a known good number and do not rely on any inbound communication. Don't listen to anybody on the phone that calls you and says, "Hey, we got some new wiring details. We're going to send them to you."

Dave Bittner: Right.

Joe Carrigan: "Hey, here's an email with your new wiring details."

Dave Bittner: Yeah. And don't use the phone number that's in the email or communication that's asking you to wire --

Joe Carrigan: Absolutely.

Dave Bittner: The number.

Joe Carrigan: Use the phone number on the business card of the person, look up their phone number on the internet.

Dave Bittner: Right, right.

Joe Carrigan: Look it up in the phonebook, if you still have a phonebook. Dave, do you have any phonebooks in your house?

Dave Bittner: I do not believe I do. There might be. Who knows? There's probably one hiding under something somewhere, or propping something up, but --

Joe Carrigan: When little kids come over to your house, what do they sit on?

Dave Bittner: That's right. That's a good question. Now that phonebooks are gone, what do kids sit on during holidays?

Joe Carrigan: Yes.

Dave Bittner: Like Christmas and Thanksgiving and Easter and, you know, Passover, what do kids sit on these days? I don't know. That's a good question. My -- all my kids are too old to need to sit on something.

Joe Carrigan: Well, that's good.

Dave Bittner: They probably just have booster seats.

Joe Carrigan: Yes, booster seats. So pay money for -- to replace the old --

Dave Bittner: Right.

Joe Carrigan: Biodegradable phonebook.

Dave Bittner: There you go.

Joe Carrigan: Anyway, number two, verify that the recipient received the funds as soon as you wire them. This is something that I'm kind of shocked that Mr. Tamchina didn't do. I know if I was wiring $730,000 to somebody, I'd call to make sure they got it.

Dave Bittner: Yeah.

Joe Carrigan: In fact, I was going to wire, or send about 1,000th of that to a friend of mine. This was to close out a business.

Dave Bittner: Right.

Joe Carrigan: That we had together and I still had about 730 bucks he needed. So I called him three times during that transaction, right? He was irritated with it.

Dave Bittner: "Yes, Joe, I got the money."

Joe Carrigan: Yeah, I got it, okay. Before I send it, is this the right place I'm going to send it to? Yes, this is the right place. Okay.

Dave Bittner: Right.

Joe Carrigan: Sending it now.

Dave Bittner: Right.

Joe Carrigan: Hey, did you get it? Yes. Final call, well, good, right? Yup, we're good. So that's just me, though. I mean, for me, 730 bucks, I don't even want to have to pay that money twice.

Dave Bittner: Right. Oh, sure.

Joe Carrigan: So when you -- when you wire anybody a large -- any amount of money, I would say call them and ask them, "Did you get it?" because time is of the essence here. This guy got really lucky in that the bank flagged that as fraudulent, but most of the time, you don't have that kind of time.

Dave Bittner: Yeah.

Joe Carrigan: You don't have that kind of time. They're going to try to get that money out of there as quickly as they can, and I'm sure these scammers tried to get that money out as quickly as they could. It's just the bank stopped them.

Dave Bittner: Probably, right. I suspect that you're right, and so really, in my mind, that makes the bank the hero of the story.

Joe Carrigan: Right, yeah, the bank, I think, did a great job here. And finally, the last point I want to make is, if you're going to be the custodian of money that is sent via a wire transfer, so let's say you're a settlement attorney or you're a -- some kind of bank that's going -- escrow company or whatever --

Dave Bittner: Yeah.

Joe Carrigan: It is good policy to communicate the wiring details at the very beginning of the process and then to say something like, these details will not change during the process of this transaction. This is what they will be, and we will keep this account open until such a time as this -- at least until we're done here.

Dave Bittner: Right.

Joe Carrigan: Right? And if you receive any communication, or there's anything that indicates different details, do not wire the money. Stop.

Dave Bittner: Right.

Joe Carrigan: Call us.

Dave Bittner: Right.

Joe Carrigan: It's fine.

Dave Bittner: And here's my phone number printed on this document.

Joe Carrigan: Here's my phone number printed on this business card.

Dave Bittner: Right, right.

Joe Carrigan: So it's -- this is actually something that's fairly easy to stop from happening, but you need to stop it from happening with how you behave, and there's not a lot of technological things that can prevent you from wiring money to bad guys.

Dave Bittner: Yeah, yeah. It's -- settlement is such a flurry of activity.

Joe Carrigan: It is. It's a flurry of activity and it's very stressful.

Dave Bittner: Yes.

Joe Carrigan: It's one of the top five stressful things you can do in your life.

Dave Bittner: Yes, yes, but, you know, probably at the top of the list of important things to do during settlement is the transfer of the funds.

Joe Carrigan: Absolutely.

Dave Bittner: And so that requires the highest amount of scrutiny, I would say.

Joe Carrigan: I haven't done this in, I mean, I bought my last house almost 20 years ago and we did everything with cashier's checks.

Dave Bittner: Yeah.

Joe Carrigan: I don't know if you can still do that. I would imagine you can.

Dave Bittner: Yeah.

Joe Carrigan: But if you can do that, I think that's a better solution.

Dave Bittner: Right, right. All right, interesting. Yeah, very good. Well, two happy stories this week.

Joe Carrigan: Yeah, there you go.

Dave Bittner: All right.

Joe Carrigan: Now our listeners are like, "I can't wait for next week. They better have sad stories."

Dave Bittner: That's right, that's right. Next time, yeah, it'll be -- I don't know. I don't even want to say. Okay, let's move on to our Catch of the Day. [SOUNDBITE OF REELING IN FISHING LINE]

Joe Carrigan: Dave, our Catch of the Day comes from William, and when our producer Liz forwarded this to me, Gmail said in bright red letters, "This message seems dangerous."

Dave Bittner: Okay, well, there you go. Thank you, Gmail.

Joe Carrigan: So, yes, go ahead and read this one, Dave.

Dave Bittner: All right. This says, "Dear Customer, we recently received a report of unauthorized debit and credit card use associated with this account. As a precaution, we have limited your Chase banking account in order to protect against future unauthorized transactions. To verify your account, click on 'secure your account' below so you could help us confirm your account information and regain full access to your account. Warning, ignoring or giving wrong details mean you are not the rightful owner of this account and we are going to permanently lock your account if such activity is detected. Thank you for being a Chase customer and we look forward to serve all your financial satisfactions." Then there's a big blue button that says "secure my account." "Sincerely, Chase support team."

Joe Carrigan: So that's pretty good. I mean, the grammar is almost perfect until the end where it's --

Dave Bittner: Almost.

Joe Carrigan: Getting a little bit sloppy.

Dave Bittner: Almost, yeah.

Joe Carrigan: William writes, "As phishing emails go, this one's better than most. The only obvious grammatical giveaway is, quote, financial satisfactions in the final sentence."

Dave Bittner: One of my favorite songs from the Rolling Stones.

Joe Carrigan: Right.

Dave Bittner: I can't get no financial satisfactions.

Joe Carrigan: The link preview on iPhone shows a Chase login page at a marketing URL, so what that is, is that is some marketing company, or maybe they're complicit, but they've probably been compromised, and somebody has put a phishing page on that, on that web server.

Dave Bittner: Right.

Joe Carrigan: So it's a phishing kit, just catching these credentials. It is -- they don't care whether or not you have a Chase account. If you don't have a Chase account, they're not interested in catching your credentials, right? So they're sending this out to a bunch of people. Somebody has a Chase account and reads it and goes, "Oh, I better secure my account" and clicks it, gives up their username and password.

Dave Bittner: Yeah.

Joe Carrigan: And then the guys are in and they're just going to do terrible things to your bank account.

Dave Bittner: The consolidation of the banking industry in -- here in the U.S. has made this much easier for these people.

Joe Carrigan: Right.

Dave Bittner: Because there are fewer big banks.

Joe Carrigan: That's 100% correct, Dave. That is -- you know, this is -- that's a great point, because there aren't a lot of big banks anymore.

Dave Bittner: Nope.

Joe Carrigan: You know, there aren't a lot of banks around here anymore. There's Chase. There's Wells Fargo. There's Citibank. There's Bank of America, and I'm trying to think of another one and I can't.

Dave Bittner: Just, yeah, there's just a handful.

Joe Carrigan: Right.

Dave Bittner: Yeah.

Joe Carrigan: So chances are, by picking one of the big banks, you're hitting a very large percentage of the population.

Dave Bittner: Right, absolutely. All right, well, our thanks to William for sending this in. Again, we would love to hear from you. Our email address is hackinghumans@thecyberwire.com.

Joe, I recently had the pleasure of speaking with Bala Kumar. He is Chief Product Officer at Jumio, and we were talking about fraud in the travel industry. Here's our conversation.

Bala Kumar: There's been quite a bit of transformation happening, not just in the travel industry, but generally across because of the pandemic. One, there's been a significant drop-off, or there was a significant drop-off in travel. That's started to pick up now over the course of the last year or so. It's starting to come back to almost the 2019 levels, but not yet fully there. In addition to that, folks are now starting to get a lot more used to digital transformation. Companies are adopting digital transformation. End users, or consumers, are used to digital transformation. People are looking for more convenience, and so they are looking for quicker ways for them to be able to either check into hotels or to be able to pick up their cars or to be able to make their way through security controls, etc., so there's that increased need for convenience, and companies have been accommodating that through the digital transformation initiatives as well. So these are the two driving factors that -- that's caused a tipping point in how end users are interacting in the travel industry and generally other industries as well. Fraudsters, though, are now starting to take advantage of this because a lot of these conveniences mean it's being done in faceless channels, so you're not necessarily interacting with an individual. In the past, you would go into the hotel lobby. You would meet somebody. You would hand your -- hand over your driver's license, your credit card. They're able to have a conversation with you before they check you in. Now you can just go on your mobile app and you can check in to your room and you can make -- and you have a mobile key that is made available through the app itself -- or sorry, a digital key, and then you make your way to the room, right? So in this faceless channel, fraudsters are getting in and exploiting it significantly. They are taking over end users' credentials. They are passing themselves off as end users, and they are taking over accounts of end users, which means they have access to all the reward points that the end users have gained over a period of time and that essentially translates to cash as far as the fraudsters are concerned. So that's essentially what you see happening quite a bit, at least from a fraud landscape when it comes to the travel industry, and you see a lot of this path leading to other industries as well.

Dave Bittner: Can we dig into some of the details here of the ways that they're coming at individuals? You mentioned, you know, coming after their points. Is that the main thing they're after here, or what other things do they come at?

Bala Kumar: That's predominantly it. Fraudsters are not looking to travel, but if they're able to get these reward points, they're able to convert that into cash, right? So they can go online, they can trade the points. They can transfer points. There's a ton of things that they could do with points, and a lot of folks, not too many people really keep a close eye on their points. For example, when my mom traveled here to the U.S. from India, she, because it was an international flight, she gained quite a few points, but then she doesn't care about these points. It's sitting in her account, and if somebody hacks into her account, they get access to these points and it's gone, and so the end user is not even aware that, one, they have gained all these points, and now they've lost it, too, right? So few people keep a very close eye on their points. It's usually the frequent travelers. But if their accounts are compromised, then you're talking about several thousand points that the fraudster is going to get access to and that translates to thousands of dollars.

Dave Bittner: So what are the providers doing to prevent this? The airlines, the hotels, so what part do they play here?

Bala Kumar: Playing a little bit of a catch-up. They are trying to figure out the trade-off between convenience and having the right security controls in place, so there's a combination of efforts. One, you have to make sure that the individual that you're interacting with is genuine, especially in this faceless channel, and then the second thing you have to figure out is, is the ID that they're providing, is that linked to that individual, right? And is this individual using this claimed identity generally in the community. Those are the key things that they need to figure out. So to do that, some of the companies, especially in the airline space, they are leaning on government-issued IDs, so driver's licenses, passports, etc., as a means to verify that these are genuine individuals, because think about it, right, a name, address, email, phone, none of these are compromised in today's world because of all the data breaches that have occurred, a guarantee that your information, my information, or some parts of information is out there in the dark web, and so when you see a transaction come through or somebody submitting a request to check in, etc., with a name and an address or an email, you have no way of knowing whether it is the actual individual submitting it or if it's a fraudster who has access to it that is submitting it. But the moment you say, "Hey, great, thank you for this information," we would now like to see a driver's license or a passport or some form of a government-issued ID. That introduces friction for the fraudsters. Genuine users, they have the driver's licenses on them or they have the passports and they're able to provide those forms of identity, but fraudsters don't necessarily have access with the same name, address information on those IDs, so they can go ahead and try and manufacture it, not as -- it's easy to do, but think about the volume of IDs they're going to have to manufacture, and so a lot of these companies are requiring these IDs to be provided through digital means, and in addition to the IDs, they're also asking for selfies, right? So take a picture of yourself, so you can match the picture, the selfie that they have taken, with a picture that's on the ID, and if you look at an ID, there are multiple security controls on an ID. You'll see the actual image, you'll see a ghost image, and so companies like Jumio, there are a few of us that operate in the space, companies like Jumio, we look at the selfie, we look at the images on the ID, and make sure that it is the same individual. So it's not just matching within the document itself. There are multiple security controls that are laid into the document, so we check for all of those and make sure that this is a valid ID. Think about the last time you traveled. You went through TSA, they take your ID, and they run it through the scanner, then make sure that it is a valid ID. We run a lot of very similar checks to make sure that this is a genuine ID. So that essentially causes friction for the bad users, for the fraudsters, and that's essentially one of the primary tools that a lot of companies are using to try and keep the fraudsters out.

Dave Bittner: Do you find that some folks are reticent or hesitant to upload their government IDs?

Bala Kumar: It used to be the case a few years ago, but that is changing quite a bit, especially with digital transformation, and this is something that started even if you take an online exam, whether it's somebody in the university, etc., they are asked to furnish an ID. They want to make sure that this is a valid individual. If you take a certified Coursera course, they request -- require you to provide an ID, right? So folks over a period of time have started to get comfortable with it. There was also some concerns around taking selfies and whether people would be comfortable with that, but in the last 5, 10 years, especially with the crazy spread of mobile devices, etc., and folks actually submitting their photos, etc., on social media like Facebook and Instagram and others, they're starting to get a lot more comfortable with it now than they were 5, 10 years ago. So I would say that friction point from an end user standpoint has dramatically dropped over the last few years.

Dave Bittner: You know, I think a lot of people are on board when it comes to things like multifactor authentication for their bank accounts, you know, those things where they see direct and ongoing interaction of money. Where do we stand with the travel providers here? Are there opportunities to use things like multifactor with those organizations?

Bala Kumar: Absolutely. In fact, a lot of them have started to use it. Some of them offer it as an option. Some of them are starting to require it, but some of the tools that are being used are still a bit rudimentary. They ask you for, hey, what is the color of your car, or which school did you go to, etc., and these are canned responses, something that the end user even when they set up their account, and the challenge with that is not everyone remembers what they put in a year or two years ago when they set up their account. Then there's the whole issue of is it uppercase, is it lowercase, and so that in itself introduces quite a bit of friction. When you're setting up an account, if you ask for a driver's license or a passport, if you've asked for a selfie, now we basically can have a signature of that selfie that was taken, so when that individual comes back, when you want to do that multifactor authentication or an additional authentication, you ask them just to take a selfie, a quick selfie, and if it matches what we have on file, you can greenlight them and you can let them through the door. So those mechanisms are being adopted. A few companies have started to move in that direction because it gives you much more of a foolproof way of protecting those accounts.

Dave Bittner: So what are your recommendations for consumers here? What are the best practices for them to make sure that they're protecting themselves?

Bala Kumar: I think you nailed it just a few minutes ago. Multifactor authentication is key. It's important. When it is offered as an option and it's not something that you're required to do, don't avoid it. Sign up for it. Make sure that you're using multifactor authentication. Your rewards account is not really different from your bank account. Yes, it's not real money unless you've converted it, but it is still -- it still translates to something meaningful. A lot of folks can travel. They can get a ticket for free if they're using the reward points to even make international trips, right? And that's a substantial amount of money. So you have to take -- you should take the same precautions that you would take to protect your bank accounts. Sign up for multifactor authentication. Make sure that you're signing up for an authentication mechanism that is strong and not something that can be easily guessed, so if it is things like which school did you go to and that information is already available on your LinkedIn or your Facebook profile, guess what? Fraudsters will have access to it. So make sure that you're signing up for an authentication mechanism that is that strong and is going to secure your accounts.

Dave Bittner: Joe, what do you think?

Joe Carrigan: Dave, the pandemic did cause a lot of people to go with this more digital transformation, right? This is just automation, right?

Dave Bittner: Okay.

Joe Carrigan: It's automation that users can use.

Dave Bittner: Yeah.

Joe Carrigan: That customers can use.

Dave Bittner: Sure.

Joe Carrigan: And people like it.

Dave Bittner: Yeah.

Joe Carrigan: And I get it. The fewer people I have to interact with, the happier I am.

Dave Bittner: Just want to stay in your hobbit hole and --

Joe Carrigan: I do.

Dave Bittner: Be left alone.

Joe Carrigan: I do.

Dave Bittner: Fair enough. Fair enough.

Joe Carrigan: Although I do enjoy checking in a hotel and talking to the people at the hotel. So I guess, you know, I've never had an unpleasant experience doing that, and a lot of times everybody in the hospitality industry is so great, right?

Dave Bittner: Right.

Joe Carrigan: I mean, that's why they're there.

Dave Bittner: Sure.

Joe Carrigan: But of course, this whole automation system, or all these digital transformations or whatever, are now just a new attack surface for someone to come in.

Dave Bittner: Right.

Joe Carrigan: That is one of the things that I talk about frequently, is reducing your attack surface. Now, I'm not saying that there isn't a good business case for this attack surface to exist. There is, obviously. People like it. It does provide a frictionless experience for somebody coming into a hotel. I can imagine coming into a hotel room late at night.

Dave Bittner: Yeah.

Joe Carrigan: As I've done frequently, and not having to go to the front desk, just on my phone have an app that lets me into my room. That sounds great, actually.

Dave Bittner: Actually, last time I checked into a hotel it was when we went to San Francisco for the RSA Conference. Our hotel had a completely automated check-in service with a little kiosk and it was great.

Joe Carrigan: Awesome.

Dave Bittner: Yeah, saved a lot of time, too, because there was a long line for the, you know, the actual human check-in.

Joe Carrigan: Right.

Dave Bittner: And people who have an issue or actually need to talk to a human, but for just plain old check-in, worked great.

Joe Carrigan: And did it spit your keys out or what?

Dave Bittner: Yeah.

Joe Carrigan: Okay.

Dave Bittner: Yeah. It generated the keys to check my ID. It did all that stuff. So just, yeah, it was great, a good smooth experience, just worked.

Joe Carrigan: Very nice.

Dave Bittner: Yeah.

Joe Carrigan: But you know, this is like when you go to the Southwest counter in the airport at BWI.

Dave Bittner: Yeah.

Joe Carrigan: And it's just all automated machines.

Dave Bittner: Right.

Joe Carrigan: And you don't have to talk to anybody unless you have to drop off luggage.

Dave Bittner: Right.

Joe Carrigan: You know?

Dave Bittner: Yeah.

Joe Carrigan: That's always a smooth transaction, too.

Dave Bittner: Yeah. It's nice when it is done well and it works.

Joe Carrigan: Yeah. And I'll say Southwest does a pretty good job there.

Dave Bittner: Yeah.

Joe Carrigan: Although I still think I want to talk to people, but you know what, I'm not going to talk to that many people and still get cheap airfare.

Dave Bittner: Right. There you go. There you go.

Joe Carrigan: Naturally, the bad guys are going to try to monetize their efforts anytime they're -- anytime -- I mean, that's what they do. That's --

Dave Bittner: Yeah.

Joe Carrigan: That's what the -- every year the Verizon data breach, the Verizon report, VDBR, data breach investigation report, DBIR, comes out and it says that -- like something like 90% of all cybercrime is financially motivated. That is probably never going to change. Now that we're here, I can see it going to almost 100%. There's still going to be other reasons, but they're going to be the real minority. So they're going after points if they can turn that into cash, and that's great.

Dave Bittner: Yeah.

Joe Carrigan: You know, this is a very low risk for the bad guys because some people just don't care if they lose $2,000 in point -- or 2,000 points.

Dave Bittner: Right.

Joe Carrigan: Right? That's not $2,000. It's 2,000 points. It's not a lot of money.

Dave Bittner: Yeah.

Joe Carrigan: You know, I looked at my -- speaking of Southwest, I looked at my Southwest after this interview, I wonder how many points I have. I have a substantial amount of points. I can do a round trip from here to Dallas and back with my points.

Dave Bittner: Oh, that's nice.

Joe Carrigan: It is.

Dave Bittner: I have no idea where I stand with any of my airline points. It's just -- I'm one of those people who I'm not particularly interested in it. So I -- who knows? I could have a lot. I have no idea.

Joe Carrigan: Free trips, Dave.

Dave Bittner: Yeah. I know. I should look into it, but --

Joe Carrigan: You should.

Dave Bittner: But I'm one of those people also where I would not know if my points were taken.

Joe Carrigan: Yes.

Dave Bittner: Just wouldn't know. Wouldn't lose sleep over it.

Joe Carrigan: Yeah. Bala's very serious about the rewards points and understandably so.

Dave Bittner: Yeah.

Joe Carrigan: But I don't really see someone -- I don't really have a problem with someone who goes, "This is not in my risk portfolio. I'm not worried about this."

Dave Bittner: Right.

Joe Carrigan: You know, I don't care about that, because Bala's own mom said she doesn't care.

Dave Bittner: Yeah.

Joe Carrigan: Right? I don't know. This is something that I don't think of would -- nobody would think it would be a big loss if they lost their traveler's points unless they're really into that sort of thing. If you're really into that sort of thing, protect it. Use the multifactor authentication.

Dave Bittner: Yeah.

Joe Carrigan: I like that Bala says companies need to have a multilayered approach to fighting the fraud. I agree with that 100%.

Dave Bittner: Yeah.

Joe Carrigan: He also talks about the knowledge-based authentication that is always terrible. It's very easy to find the knowledge and you have no way of knowing if the user is going to remember it when they come back.

Dave Bittner: Right, right. Absolutely.

Joe Carrigan: Who knows what they put down?

Dave Bittner: Yeah.

Joe Carrigan: Asking for IDs and selfies creates a lot of friction for the scammer. People are more willing to do it now. I wouldn't have problems with selfies, but if somebody wanted me to upload my ID just so I could use my frequent flyer points, at that point in time, I might be like, okay, I don't care about this much, you know, because now I'm putting my ID -- if they're using another company whose security is focused, or whose focus is security, rather --

Dave Bittner: Yeah.

Joe Carrigan: Then okay, maybe.

Dave Bittner: Right.

Joe Carrigan: Right? But if I'm just going to give my ID to Southwest for them to store it, I don't know that I would trust them with that much PII. I mean, there's a lot of PII on the -- on my ID.

Dave Bittner: Yeah.

Joe Carrigan: Right? But do they already have that? I don't know. Probably do.

Dave Bittner: Probably.

Joe Carrigan: So maybe it's -- maybe it's okay. I mean, they have to know my name, my -- I don't know if they need to know my address, but they need to know my birth date.

Dave Bittner: Right. Well, there's all this stuff they have to verify just for TSA.

Joe Carrigan: Yeah, just to give me a ticket.

Dave Bittner: Yeah, yeah. So they are in possession of a lot of information about us.

Joe Carrigan: Yeah, so maybe it's not a bad idea.

Dave Bittner: For sure.

Joe Carrigan: Maybe it's -- maybe it's, you know, that already exists.

Dave Bittner: Yeah. All right. Well, again, our thanks to Bala Kumar for joining us. He is Chief Product Officer at Jumio, and we do appreciate him taking the time.

That is our show. We want to thank all of you for listening. Thanks to Harbor Labs and the Johns Hopkins University Information Security Institute for their participation. You can learn more at harborlabs.com and isi.jhu.edu. The Hacking Humans podcast is proudly produced in Maryland at the startup studios of DataTribe where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner.

Joe Carrigan: And I'm Joe Carrigan.

Dave Bittner: Thanks for listening.